<?xml version="1.0" encoding="utf-8"?>
<!-- This Source Code Form is subject to the terms of the Mozilla Public
   - License, v. 2.0. If a copy of the MPL was not distributed with this
   - file, You can obtain one at http://mozilla.org/MPL/2.0/. -->


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.1//EN"
  "http://www.w3.org/TR/xhtml11/DTD/xhtml11.dtd"[
  <!ENTITY % brandDTD SYSTEM "chrome://branding/locale/brand.dtd" >
  %brandDTD;
]>

<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<title>Certificate Manager</title>
<link rel="stylesheet" href="helpFileLayout.css"
  type="text/css"/>
</head>
<body>

<div class="boilerPlate">This document is provided for your information only.
  It may help you take certain steps to protect the privacy and security of
  your personal information on the Internet. This document does not, however,
  address all online privacy and security issues, nor does it represent a
  recommendation about what constitutes adequate privacy and security
  protection on the Internet.</div>

<h1 id="certificate_manager">Certificate Manager</h1>

<p>This section describes how to use the Certificate Manager. For more
  information on using certificates, see <a href="using_certs_help.xhtml">Using
  Certificates</a>.</p>

<p>If you are not currently viewing the Certificate Manager window, follow
  these steps:</p>

<ol>
  <li>Open the <span class="mac">&brandShortName;</span>
    <span class="noMac">Edit</span> menu and choose Preferences.</li>
  <li>Under the Privacy &amp; Security category, click Certificates. (If no
    subcategories are visible, double-click Privacy &amp; Security to expand
    the list.)</li>
  <li>Click Manage Certificates.</li>
</ol>

<div class="contentsBox">In this section:
  <ul>
    <li><a href="#your_certificates">Your Certificates</a></li>
    <li><a href="#people">People</a></li>
    <li><a href="#servers">Servers</a></li>
    <li><a href="#authorities">Authorities</a></li>
    <li><a href="#others">Others</a></li>
  </ul>
</div>

<h2 id="your_certificates">Your Certificates</h2>

<p>The Your Certificates tab in the <a href="#certificate_manager">Certificate
  Manager</a> displays the certificates on file that identify you. Your
  certificates are listed under the names of the organizations that issued
  them. If you can&apos;t see certificate names under an organization&apos;s
  name, double-click the name to expand it.</p>

<p>Use the following buttons to view and manage your certificates (most actions
  require one or more certificates to be selected):</p>

<ul>
  <li><strong>View</strong>: Display detailed information about the selected
    certificates.</li>
  <li><strong>Backup</strong>: Initiate the process of saving the selected
    certificates. A window appears that allows you to choose a password to
    protect the backup. You can then save the backup in a directory of your
    choice.</li>
  <li><strong>Backup All</strong>: Initiate the process of saving all the
    certificates stored in the
    <a href="glossary.xhtml#software_security_device">Software Security
    Device</a>.

    <p><strong>Note</strong>: Certificates on smart cards cannot be backed up.
      Whether you select some of your certificates and click Backup, or click
      Backup All, the resulting backup file will not include any certificates
      stored on smart cards or other external security devices. You can only
      back up certificates that are stored on the built-in Software Security
      Device.</p>
  </li>
  <li><strong>Import</strong>: Import a file containing one or more
    certificates that were previously backed up. When you click Import,
    Certificate Manager first asks you to locate the file that contains the
    backup. The names of certificate backup files typically end in
    <tt>.p12</tt>; for example, <tt>MyCert.p12</tt>. After you select the file
    to be imported, Certificate Manager asks you to enter the password that you
    set when you backed up the certificate.</li>
  <li><strong>Delete</strong>: Delete the selected certificates.</li>
</ul>

<h3 id="choose_a_certificate_backup_password">Choose a Certificate Backup
  Password</h3>

<p>A certificate backup password protects one or more certificates that you are
  backing up from the <a href="#your_certificates">Your Certificates</a> tab in
  the Certificate Manager.</p>

<p>The Certificate Manager asks you to set this password when you back up
  certificates, and requests it when you attempt to import certificates that
  have previously been backed up.</p>

<ul>
  <li><strong>Certificate backup password</strong>: Type your backup password
    into this field.</li>
  <li><strong>Certificate backup password (again)</strong>: Type your backup
    password again. If you don&apos;t type it the second time exactly as you
    did the first time, the OK button remains inactive. If this happens, try
    typing the new password again.</li>
</ul>

<p>If someone obtains the file containing a certificate that you have backed up
  and successfully imports the certificate, that person can send messages or
  access websites while pretending to be you. This can be a problem, for
  example, if you digitally sign important email messages or manage your bank
  or investment accounts over the Internet.</p>

<p>Therefore, it&apos;s important to select a certificate backup password that
  is difficult to guess. The <strong>password quality meter</strong> gives you
  a rough idea of the quality of your password as you type it based on factors
  such as length and the use of uppercase letters, lowercase letters, numbers,
  and symbols. It does not guarantee that your password cannot be guessed,
  however.</p>

<p>For further guidelines, see
  <a href="passwords_help.xhtml#choosing_a_good_password">Choosing a Good
  Password</a>.</p>

<p>It&apos;s also important to record the password in a safe place&mdash;and
  not anywhere that&apos;s easily accessible to someone else. If you forget
  this password, you can&apos;t import the backup of your certificate.</p>

<h3 id="delete_your_certificates">Delete Your Certificates</h3>

<p>Before deleting one of your own expired certificates from the
  <a href="#your_certificates">Your Certificates</a> tab in the Certificate
  Manager, make sure you won&apos;t need it again some day for reading old
  email messages that you may have encrypted with the corresponding private
  key.</p>

<h2 id="people">People</h2>

<p>The People tab in the <a href="#certificate_manager">Certificate Manager</a>
  displays email certificates you have on file that identify other people.</p>

<p>When people send you digitally signed email messages, Certificate Manager
  imports their certificates automatically. You can use these certificates to
  send encrypted messages to those people.</p>

<p>Certificates that identify people are listed under the names of the
  organizations that issued them. If you can&apos;t see certificate names under
  an organization&apos;s name, double-click the name to expand it.</p>

<p>Use the following buttons to view and manage your certificates (most actions
  require one or more certificates to be selected):</p>

<ul>
  <li><strong>View</strong>: Display detailed information about the selected
    certificates.</li>
  <li><strong>Edit</strong>: View or change the trust settings that Certificate
    Manager associates with the selected certificates. You can use these
    settings to designate an email certificate as one that you trust or
    don&apos;t trust for identification purposes.</li>
  <li><strong>Import</strong>: Import a file containing one or more
    certificates. When you click Import, Certificate Manager first asks you
    to locate the file that contains the certificate(s).</li>
  <li><strong>Export</strong>: Export the selected certificates. You can
    choose among various formats.</li>
  <li><strong>Delete</strong>: Delete the selected certificates.</li>
</ul>

<h3 id="delete_email_certificates">Delete Email Certificates</h3>

<p>Before deleting someone else&apos;s certificate from the
  <a href="#people">People</a> tab in the Certificate Manager, make sure you
  won&apos;t need it again some day to send encrypted email to that person or
  to verify digital signatures on messages from that person.</p>

<h2 id="servers">Servers</h2>

<p>The Servers tab in the Certificate Manager displays certificates you have
  on file that identify servers (websites, mail servers).</p>

<p>Certificates that identify servers are grouped under the names of the
  organizations that issued them. If you can&apos;t see certificate names under
  an organization&apos;s name, double-click the name to expand it.</p>

<p>Use the following buttons to view and manage your certificates (most actions
  require one or more certificates to be selected):</p>

<ul>
  <li><strong>View</strong>: Display detailed information about the selected
    certificates.</li>
  <li><strong>Edit</strong>: View or change the trust settings that Certificate
    Manager associates with the selected certificates. You can use these
    settings to designate a website certificate as one that you trust or
    don&apos;t trust for identification purposes.</li>
  <li><strong>Import</strong>: Import a file containing one or more
    certificates. When you click Import, Certificate Manager first asks you
    to locate the file that contains the certificate(s).</li>
  <li><strong>Export</strong>: Export the selected certificates. You can
    choose among various formats.</li>
  <li><strong>Delete</strong>: Delete the selected certificates.</li>
  <li><strong>Add Exception</strong>: Add a security exception for a server
    (website, mail server) that identifies itself with invalid information.
    This is an advanced feature, act with caution.</li>
</ul>

<h3 id="edit_website_certificate_trust_settings">Edit Website Certificate
  Trust Settings</h3>

<p>When you select a website certificate from the
  <a href="#servers">Servers</a> tab in the Certificate Manager and click Edit,
  you see a window entitled <q>Edit website certificate trust settings</q>.
  Here you specify whether you want to trust the selected certificate for
  identifying the website and setting up an encrypted connection.</p>

<p>The dialog box contains these elements:</p>

<ul>
  <li><strong>The certificate <q><em>name of certificate</em></q> was
    issued by</strong>: Provides information about the
    <a href="glossary.xhtml#certificate_authority">certificate authority</a>
    that issued this certificate.</li>
  <li><strong>Edit certificate trust settings</strong>:
    <ul>
      <li><strong>Trust the authenticity of this certificate</strong>: If you
        select this option, Certificate Manager will henceforth trust this
        certificate for the purposes of identifying this website or setting up
        an encrypted connection. If you select this option and then attempt to
        visit the website, your browser will access the site with few, if any,
        warnings.</li>
      <li><strong>Do not trust the authenticity of this certificate</strong>:
        If you select this option, Certificate Manager will no longer trust
        this certificate for the purposes of identifying this website or
        setting up an encrypted connection. If you select this option and
        then attempt to visit the website, you will see one or more warning
        messages before you can access the site.</li>
    </ul>
  </li>
  <li><strong>Edit CA Trust</strong>: Click this button to specify trust
    settings for the certificate authority (CA) that issued the website
    certificate. These settings allow you to trust or not to trust different
    kinds of certificates issued by that certificate authority. For example,
    you can choose to trust all website certificates issued by the
    authority.</li>
</ul>

<p>Click OK to confirm your choice.</p>

<h3 id="delete_website_certificates">Delete Website Certificates</h3>

<p>Before deleting a server certificate from the
  <a href="#servers">Servers</a> tab in the Certificate Manager, make sure that
  you won&apos;t need it again for the purposes of identifying a website or
  mail server and setting up an encrypted connection.</p>

<h2 id="authorities">Authorities</h2>

<p>The Authorities tab in the <a href="#certificate_manager">Certificate
  Manager</a> displays the certificates you have on file that identify
  <a href="glossary.xhtml#certificate_authority">certificate authorities
  (CAs)</a>.</p>

<p>CA certificates are grouped under the names of the organizations that issued
  them. If you can&apos;t see certificate names under an organization&apos;s
  name, double-click the name to expand it.</p>

<p>Use the following buttons to view and manage your certificates (most actions
  require one or more certificates to be selected):</p>

<ul>
  <li><strong>View</strong>: Display detailed information about the selected
    certificates.</li>
  <li><strong>Edit</strong>: View or change the settings that Certificate
    Manager associates with the selected certificates. You can use these
    settings to designate what kinds of certificates, if any, you trust that
    are issued by the corresponding CAs.</li>
  <li><strong>Import</strong>: Import a file containing one or more
    certificates. When you click Import, Certificate Manager first asks you
    to locate the file that contains the certificate(s).</li>
  <li><strong>Export</strong>: Export the selected certificates. You can
    choose among various formats.</li>
  <li><strong>Delete</strong>: Delete the selected certificates.</li>
</ul>

<p>To ensure that an entire
  <a href="glossary.xhtml#certificate_chain">certificate chain</a> of CAs are
  all trusted, you need to edit the root CA certifiate only.</p>

<p>To import the chain, you click a link on a web page provided by the CA. You
  can then use the authorities tab to locate the root certificate and edit its
  trust settings.</p>

<p>The root and intermediate CAs all appear under the same organization. The
  root certificate is the one that lists itself as the issuer.</p>

<p><strong>If you download an intermediate CA</strong>: If you download an
  intermediate CA certificate that chains to a root certificate already marked
  as trusted in your browser, you don&apos;t have to indicate what purposes you
  trust it for. Intermediate certificates automatically inherit the trust
  settings of their roots.</p>

<h3 id="edit_ca_certificate_trust_settings">Edit CA Certificate Trust
  Settings</h3>

<p>When you select a CA certificate from the
  <a href="#authorities">Authorities</a> tab in the Certificate Manager and
  click Edit, you see a window entitled <q>Edit CA certificate trust
  settings</q>. Here you specify the kinds of certificates you trust this CA
  to certify. If you deselect all the checkboxes, Certificate Manager will not
  trust any certificates issued by this CA.</p>

<p>The settings have these effects:</p>

<ul>
  <li><strong>This certificate can identify websites</strong>: Certificate
    Manager will trust certificates issued by this CA for the purpose of
    identifying websites and encrypting website connections. If you deselect
    this checkbox, Certificate Manager will not trust website certificates
    issued by this CA.</li>
  <li><strong>This certificate can identify mail users</strong>: Certificate
    Manager will trust certificates issued by this CA for the purpose of
    signing or encrypting email. If you deselect this checkbox, Certificate
    Manager will not trust email certificates issued by this CA.</li>
  <li><strong>This certificate can identify software makers</strong>:
    Certificate Manager will trust certificates issued by this CA for the
    purpose of identifying software makers. If you deselect this checkbox,
    Certificate Manager will not trust such certificates issued by this
    CA.</li>
</ul>

<p>Click OK to confirm the settings you have selected.</p>

<h3 id="delete_ca_certificates">Delete CA Certificates</h3>

<p>Before deleting a CA certificate from the
  <a href="#authorities">Authorities</a> tab in the Certificate Manager,
  make sure that you won&apos;t need it again to validate certificates issued
  by that CA. If you delete the only valid certificate you have for a CA,
  Certificate Manager will no longer trust any certificates issued by that
  CA.</p>

<h2 id="others">Others</h2>

<p>The Others tab in the Certificate Manager displays certificates you have
  on file that do not fit in any of the other categories, i.e. certificates
  that neither belong to you, other people, servers or CAs.</p>

<p>Other certificates are grouped under the names of the organizations that
  issued them. If you can&apos;t see certificate names under an
  organization&apos;s name, double-click the name to expand it.</p>

<p>Use the following buttons to view and manage your certificates:</p>

<ul>
  <li><strong>View</strong>: Display detailed information about the selected
    certificates.</li>
  <li><strong>Export</strong>: Export the selected certificates. You can
    choose among various formats.</li>
  <li><strong>Delete</strong>: Delete the selected certificates.</li>
</ul>

<h2 id="device_manager">Device Manager</h2>

<p>This section describes the options available in the Device Manager window.
  For background information and step-by-step instructions on the use of the
  Device Manager, see
  <a href="using_certs_help.xhtml#managing_smart_cards_and_other_security_devices">Managing
  Smart Cards and Other Security Devices</a>.</p>

<p>If you are not currently viewing the Device Manager window, follow these
  steps:</p>

<ol>
  <li>Open the <span class="mac">&brandShortName;</span>
    <span class="noMac">Edit</span> menu and choose Preferences.</li>
  <li>Under the Privacy &amp; Security category, click Certificates. (If no
    subcategories are visible, double-click Privacy &amp; Security to expand
    the list.)</li>
  <li>In the Certificates panel, click Manage Security Devices.</li>
</ol>

<p>The Device Manager lists each available PKCS #11 module, and the security
  devices managed by each module below the module&apos;s name.</p>

<p>When you select a module or device, information about the selected item
  appears in the middle of the window, and some of the buttons on the right
  side of the window become available. In general, you perform an action on
  a module or device by selecting its name and clicking the appropriate
  button:</p>

<ul>
  <li><strong>Log In</strong>: Log into the selected security device. After you
    have logged in to the device, the frequency with which you will be asked to
    enter the master password for the device depends on the
    <a href="passwords_help.xhtml#master_password_timeout">Master Password
    Timeout</a> settings.</li>
  <li><strong>Log Out</strong>: Log out of the selected security device. After
    you have logged out of the device, the device and the certificates it
    contains will not be available until you log in again.</li>
  <li><strong>Change Password</strong>: Change the master password for the
    selected security device.</li>
  <li><strong>Load</strong>: Displays a dialog box that allows you to specify
    the name and location of a new PKCS #11 module. Before adding a new module,
    you should first install the module software on your computer and if
    necessary connect any associated hardware device. Follow the instructions
    provided by the vendor.</li>
  <li><strong>Unload</strong>: Unload the selected module. If you unload a
    module, both the module and its security devices are no longer available
    for use by the browser.</li>
  <li><strong>Enable FIPS</strong>: Turns the FIPS mode on and off. For more
    information, see
    <a href="using_certs_help.xhtml#enable_fips_mode">Enable FIPS
    Mode</a>.</li>
</ul>

</body>
</html>
